Cross-Site Scripting (XSS) occurs when an attacker...

Get ready for your WGU ITEC2034 D385 Software Security and Testing Test. Study with multiple choice questions that include hints and explanations. Boost your confidence for your exam day!

Multiple Choice

Cross-Site Scripting (XSS) occurs when an attacker...

Explanation:
Cross-Site Scripting is a vulnerability where an attacker can inject malicious script into a web page that other users load because the application uses untrusted input in its output without proper escaping. This is why the correct answer points to the attacker inserting malicious script via input fields or URL parameters that are not properly sanitized—when user-supplied data is embedded into HTML or JavaScript without escaping, the browser executes that script in the victim’s session. The defense is to validate and sanitize input, encode output before placing it into pages, and apply a Content Security Policy to restrict script execution. Other options describe different issues (like routing problems or accidental malware downloads) that aren’t about injecting and running script in a browser through unsanitized input.

